
Issue 724886

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in cf2_blues_init

Project Member Reported by ClusterFuzz, May 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6157393531764736

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cf2_blues_init
  cf2_font_setup
  cf2_getGlyphOutline
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=469963:470445

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6157393531764736


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org w...@gnu.org
Labels: M-60 Test-Predator-Correct-CLs
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results.
The result is a list of CLs that change the crashed files.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 58 of file cpdf_simplefont.cpp, which is stack frame 6.


Author: Werner Lemberg
Project: chromium-freetype
Changelist: https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+/283c8ed817a645dfd08b5e1fe78a34bd91140389
Time: Sat Apr 13 13:02:31 2013
The CL last changed line 197 of file cf2blues.c, which is stack frame 0. 

@dsinclair: Assigning to you, kindly take a look into it. Please help us to find an owner if not with respect to your change.

Thanks!
Cc: drott@chromium.org dsinclair@chromium.org
Owner: npm@chromium.org

Comment 3 by npm@chromium.org, May 23 2017

Cc: lemzw...@googlemail.com npm@chromium.org
Owner: ----
Status: ExternalDependency (was: Assigned)
Another freetype integer overflow.
Components: Internals>Plugins>PDF
Integer overflows are now tested (again) with Google's fuzzer; I've fixed a bunch of them over the last few days, so please test whether you still have problems.

Note that I don't have access rights to get the above test case.
Cc: -npm@chromium.org
Owner: npm@chromium.org
npm@ can you take a look to see if this is fixed if we build against the latest freetype?

Comment 7 by npm@chromium.org, Jun 13 2017

Status: Fixed (was: ExternalDependency)
This is fixed on FreeType TOT so it should be fixed later, when Chromium and PDFium update.
Comment 8 by ClusterFuzz (Project Member), Jun 30 2017

ClusterFuzz has detected this issue as fixed in range 483442:483471.

Detailed report: https://clusterfuzz.com/testcase?key=6157393531764736

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cf2_blues_init
  cf2_font_setup
  cf2_getGlyphOutline
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=469963:470445
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=483442:483471

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6157393531764736


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by drott@chromium.org, Jun 30 2017

Thanks to Ben who took care of the FreeType roll in https://chromium-review.googlesource.com/c/550379/
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Fixed)
This also needs to be rolled into the PDFium DEPS file. This just happens to be fixed because the fuzzer is built in Chrome.

Comment 11 by npm@chromium.org, Jul 11 2017

Status: Fixed (was: Assigned)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
